From owner-freebsd-current@FreeBSD.ORG  Wed Jun 29 11:09:48 2011
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 5AECA1065673
	for <freebsd-current@freebsd.org>; Wed, 29 Jun 2011 11:09:48 +0000 (UTC)
	(envelope-from se@freebsd.org)
Received: from nm1.bullet.mail.bf1.yahoo.com (nm1.bullet.mail.bf1.yahoo.com
	[98.139.212.160])
	by mx1.freebsd.org (Postfix) with SMTP id F276A8FC1F
	for <freebsd-current@freebsd.org>; Wed, 29 Jun 2011 11:09:47 +0000 (UTC)
Received: from [98.139.212.153] by nm1.bullet.mail.bf1.yahoo.com with NNFMP;
	29 Jun 2011 10:57:18 -0000
Received: from [98.139.211.200] by tm10.bullet.mail.bf1.yahoo.com with NNFMP;
	29 Jun 2011 10:57:18 -0000
Received: from [127.0.0.1] by smtp209.mail.bf1.yahoo.com with NNFMP;
	29 Jun 2011 10:57:18 -0000
X-Yahoo-Newman-Id: 607633.19837.bm@smtp209.mail.bf1.yahoo.com
Received: from [192.168.119.20] (se@81.173.144.90 with plain)
	by smtp209.mail.bf1.yahoo.com with SMTP; 29 Jun 2011 03:57:18 -0700 PDT
X-Yahoo-SMTP: iDf2N9.swBDAhYEh7VHfpgq0lnq.
X-YMail-OSG: I5d.GDIVM1k65EH9rZKcmLymzivVWcYWu1hWBWt8Z7qnjVj
	tVxCOeEsKmQVjUoy0W1bavxCjbGVVBFrCoVwCnBiOH_f_pLforymz4Y3ExbX
	xyRT62UEs.nmtzIuH7ILWazcFVrhzCk10aaWvDHtevaTFh3D__behkIdpzoy
	5bzWuaah0hvydd02eeyIv.CrhnfkoCztxJv6tx5ZbgsXGAVYNv8KbglLm4O3
	iVkgx35NceUgcAdhAwVyiGytxBb57Vvo8jWQOQTvu34Oxi5JE51Q84dkP3in
	texMUZ4JihhMW2BbgJvP8r67Npp9HtpSeA84IUUqcMkcdLroXlYhmQ4qkKTd
	B4Y26G8BhOeSuRPmY6_DMx1dgG871fIloaO3R_wU-
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4E0B050D.6090408@freebsd.org>
Date: Wed, 29 Jun 2011 12:57:17 +0200
From: Stefan Esser <se@freebsd.org>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
	rv:5.0) Gecko/20110624 Thunderbird/5.0
MIME-Version: 1.0
To: bschmidt@freebsd.org
References: <4E099EB2.7050902@freebsd.org>
	<BANLkTim601dRADEPz4sbETwMiEBt0YqyHg@mail.gmail.com>
	<4E0AE815.2070502@freebsd.org>
	<201106291241.17371.bschmidt@freebsd.org>
In-Reply-To: <201106291241.17371.bschmidt@freebsd.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: Adrian Chadd <adrian@freebsd.org>, freebsd-current@freebsd.org
Subject: Re: Panic in ieee80211 tx mgmt timeout
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jun 2011 11:09:48 -0000

Am 29.06.2011 12:41, schrieb Bernhard Schmidt:
> On Wednesday, June 29, 2011 10:53:41 Stefan Esser wrote:
>> I recreated the panic, this time with kernel dumps correctly configured
>> (thanks for the hint, Scott). The panic message is:
>>
>> Fatal trap 12: page fault while in kernel mode
>> cpuid = 0; apic id = 00
>> fault virtual address   = 0xffffff809c7a1000
>> fault code              = supervisor read data, page not present
>> instruction pointer     = 0x20:0xffffffff805e1851
>> stack pointer           = 0x28:0xffffff8000288ab0
>> frame pointer           = 0x28:0xffffff8000288b60
>> code segment            = base 0x0, limit 0xfffff, type 0x1b
>>                         = DPL 0, pres 1, long 1, def32 0, gran 1
>> processor eflags        = interrupt enabled, resume, IOPL = 0
>> current process         = 11 (swi4: clock)
>>
>> Traceback:
>>
>> #10 0xffffffff805e1851 in ieee80211_tx_mgt_timeout (arg=0xffffff809c7a1000)
>>     at ../../../net80211/ieee80211_output.c:2487
>>
>> This indicates, that an invalid argument is passed and assigned to
>> "*ni", which causes the page fault when dereferencing "ni" to obtain "*va".
> 
> The problem here seems to be wpa_supplicant. It can try to associate
> at any given point in time which results in the BSS ni being destroyed,
> though it might still be referenced somewhere (In this case the timeout
> stuff, or better said ath's TX queue). Not clearing the reference (or
> stopping whatever is using it) is the fault here. Now how to figure out
> who the caller is? Got the complete backtrace?

Not sure that I understand your question correctly ...

#10 0xffffffff805e1851 in ieee80211_tx_mgt_timeout
(arg=0xffffff809c7a1000) at ../../../net80211/ieee80211_output.c:2487
#11 0xffffffff8050f45c in softclock (arg=Variable "arg" is not
available.) at ../../../kern/kern_timeout.c:564
#12 0xffffffff804d9876 in intr_event_execute_handlers (p=Variable "p" is
not available.) at ../../../kern/kern_intr.c:1257
#13 0xffffffff804da4d6 in ithread_loop (arg=0xfffffe00032dcc60) at
../../../kern/kern_intr.c:1270
#14 0xffffffff804d718d in fork_exit (callout=0xffffffff804da440
<ithread_loop>, arg=0xfffffe00032dcc60, frame=0xffffff8000288c50) at
../../../kern/kern_fork.c:920
#15 0xffffffff807258ce in fork_trampoline () at
../../../amd64/amd64/exception.S:603

Bernhard, I'm sending you the compressed "core.txt" in private mail.

Regards, STefan